fetch_ml

jfraeysd/fetch_ml

Fork 0

Commit graph

Author	SHA1	Message	Date
Jeremie Fraeys	412d7b82e9	security: implement comprehensive secrets protection Critical fixes: - Add SanitizeConnectionString() in storage/db_connect.go to remove passwords - Add SecureEnvVar() in api/factory.go to clear env vars after reading (JWT_SECRET) - Clear DB password from config after connection Logging improvements: - Enhance logging/sanitize.go with patterns for: - PostgreSQL connection strings - Generic connection string passwords - HTTP Authorization headers - Private keys CLI security: - Add --security-audit flag to api-server for security checks: - Config file permissions - Exposed environment variables - Running as root - API key file permissions - Add warning when --api-key flag used (process list exposure) Files changed: - internal/storage/db_connect.go - internal/api/factory.go - internal/logging/sanitize.go - internal/auth/flags.go - cmd/api-server/main.go	2026-02-18 16:18:09 -05:00
Jeremie Fraeys	db7fbbd8d5	refactor: Phase 5 - split API package into focused files Reorganized internal/api/ package to follow single-concern principle: - api/factory.go (new file, 257 lines) - Extracted component initialization from server.go - initializeComponents(), setupLogger(), initExperimentManager() - initTaskQueue(), initDatabase(), initDatabaseSchema() - initSecurity(), initJupyterServiceManager(), initAuditLogger() - api/middleware.go (new file, 31 lines) - Extracted wrapWithMiddleware() - security middleware chain - Centralized auth, rate limiting, CORS, security headers - api/server.go (reduced from 446 to 212 lines) - Now focused on Server lifecycle: NewServer, Start, WaitForShutdown, Close - Removed initialization logic (moved to factory.go) - Removed middleware wrapper (moved to middleware.go) - api/metrics_middleware.go (existing, 64 lines) - Already had wrapWithMetrics(), left in place Lines redistributed: ~180 lines from monolithic server.go Build status: Compiles successfully	2026-02-17 13:11:02 -05:00

Author

SHA1

Message

Date

Jeremie Fraeys

412d7b82e9

security: implement comprehensive secrets protection

Critical fixes:
- Add SanitizeConnectionString() in storage/db_connect.go to remove passwords
- Add SecureEnvVar() in api/factory.go to clear env vars after reading (JWT_SECRET)
- Clear DB password from config after connection

Logging improvements:
- Enhance logging/sanitize.go with patterns for:
  - PostgreSQL connection strings
  - Generic connection string passwords
  - HTTP Authorization headers
  - Private keys

CLI security:
- Add --security-audit flag to api-server for security checks:
  - Config file permissions
  - Exposed environment variables
  - Running as root
  - API key file permissions
- Add warning when --api-key flag used (process list exposure)

Files changed:
- internal/storage/db_connect.go
- internal/api/factory.go
- internal/logging/sanitize.go
- internal/auth/flags.go
- cmd/api-server/main.go

2026-02-18 16:18:09 -05:00

Jeremie Fraeys

db7fbbd8d5

refactor: Phase 5 - split API package into focused files

Reorganized internal/api/ package to follow single-concern principle:

- api/factory.go (new file, 257 lines)
  - Extracted component initialization from server.go
  - initializeComponents(), setupLogger(), initExperimentManager()
  - initTaskQueue(), initDatabase(), initDatabaseSchema()
  - initSecurity(), initJupyterServiceManager(), initAuditLogger()

- api/middleware.go (new file, 31 lines)
  - Extracted wrapWithMiddleware() - security middleware chain
  - Centralized auth, rate limiting, CORS, security headers

- api/server.go (reduced from 446 to 212 lines)
  - Now focused on Server lifecycle: NewServer, Start, WaitForShutdown, Close
  - Removed initialization logic (moved to factory.go)
  - Removed middleware wrapper (moved to middleware.go)

- api/metrics_middleware.go (existing, 64 lines)
  - Already had wrapWithMetrics(), left in place

Lines redistributed: ~180 lines from monolithic server.go
Build status: Compiles successfully

2026-02-17 13:11:02 -05:00

2 commits